Package Details: rutoken-pkcs 2.17.5.0-3

Git Clone URL: https://aur.archlinux.org/rutoken-pkcs.git (read-only)
Package Base: rutoken-pkcs
Description: RSALabs PKCS#11 interface
Upstream URL: https://www.rutoken.ru/support/download/pkcs/
Keywords: pkcs11 rutoken
Licenses: custom:rutoken
Submitter: komex
Maintainer: komex
Last Packager: komex
Votes: 2
Popularity: 0.26
First Submitted: 2024-06-21 15:20 (UTC)
Last Updated: 2025-09-09 00:44 (UTC)

Latest Comments

gifts commented on 2025-08-05 11:07 (UTC) (edited on 2025-08-05 11:08 (UTC) by gifts)

There is an issue with the current package install which prevents usage of ssh-agent + ssh-add -s /usr/lib/librtpkcs11ecp.so. Fix as follows:

diff --git a/PKGBUILD b/PKGBUILD
index 2753983..d72402e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -10,12 +10,10 @@ license=('proprietary')
 options=(!strip)

 _file='librtpkcs11ecp.so'
-_dir="/opt/aktivco/rutokenecp/${arch}"
 source=("${_file}.${pkgver}::http://download.rutoken.ru/Rutoken/PKCS11Lib/${pkgver}/Linux/x64/librtpkcs11ecp.so")
 sha256sums=('f9aeeb433da8bfe9d0fd58b55ae40b901600e999a10d705e948dae6c6f64e016')

 package() {
-       mkdir -p "${pkgdir}${_dir}" "${pkgdir}/usr/lib"
-       cp -L "${srcdir}/${_file}.${pkgver}" "${pkgdir}${_dir}/${_file}"
-       ln -s "${_dir}/${_file}" "${pkgdir}/usr/lib/${_file}"
+       mkdir -p "${pkgdir}/usr/lib"
+       cp -L "${srcdir}/${_file}.${pkgver}" "${pkgdir}/usr/lib/${_file}"
 }
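Review bot: package() no longer creates /opt/aktivco/rutokenecp/${arch} at all, so anything already configured with the old library path will stop finding librtpkcs11ecp.so after the upgrade; if that path still has to exist, keep it as a symlink that points at the /usr/lib copy (the reverse of the removed ln -s), so the real file stays under /usr/lib. The mkdir -p plus cp -L pair also sets no explicit file mode; install -Dm755 "${srcdir}/${_file}.${pkgver}" "${pkgdir}/usr/lib/${_file}" would create the directory and fix the mode in one step.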

This will install the library to /usr/lib rather than making a symlink from /opt/aktivco/rutokenecp/.

Why? ssh-agent contains a feature that blocks usage of PKCS#11 libraries from arbitrary folders, like /opt. See man ssh-agent:

       -P allowed_providers
               Specify a pattern-list of acceptable paths for PKCS#11 provider and FIDO authenticator middleware shared libraries that may be used with the -S or -s options to ssh-add(1). Libraries that do not match the pattern list will be refused. The default list is “/usr/lib*/*,/usr/local/lib*/*”.

To debug I used the -d option for ssh-agent:

ssh-agent -d -a ~/token.socket                                                        
SSH_AUTH_SOCK=/home/user/token.socket; export SSH_AUTH_SOCK;
echo Agent pid 10262;
debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
refusing PKCS#11 add of "/opt/aktivco/rutokenecp/x86_64/librtpkcs11ecp.so": provider not allowed

With command

$ ssh-add -s /usr/lib/librtpkcs11ecp.so
Enter passphrase for PKCS#11: 
Could not add card "/usr/lib/librtpkcs11ecp.so": agent refused operation

The latter error is quite confusing, but debug for ssh-agent helped a lot.
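The agent log above names the /opt path even though ssh-add was given the /usr/lib one, because ssh-agent canonicalizes the provider path before comparing it with the allowlist. The shell function below is an added example (not part of the comment, the package or OpenSSH) that approximates that check so an install layout can be tested before packaging. The names provider_allowed, DEFAULT_ALLOWED and check-provider.sh are invented here, and shell case globbing stands in for OpenSSH's own pattern matcher.

```shell
#!/bin/sh
# Added example: approximates ssh-agent's PKCS#11 provider allowlist check.
# provider_allowed and DEFAULT_ALLOWED are names invented for this sketch.

# Default pattern list documented for -P allowed_providers in ssh-agent(1).
DEFAULT_ALLOWED='/usr/lib*/*,/usr/local/lib*/*'

# provider_allowed PATH [PATTERN_LIST]
# Prints the canonical path. Returns 0 = allowed, 1 = refused, 2 = unresolvable.
provider_allowed() {
    provider=$1
    list=${2:-$DEFAULT_ALLOWED}
    # Symlinks are resolved first, so a link in /usr/lib that points into
    # /opt is judged by its /opt target.
    resolved=$(realpath -- "$provider" 2>/dev/null) || return 2
    printf '%s\n' "$resolved"

    verdict=1
    old_ifs=$IFS
    IFS=,
    set -f    # split the list on commas without expanding the globs
    for pat in $list; do
        case $pat in
            '!'*)    # negated entry: a match refuses regardless of the rest
                neg=${pat#!}
                case $resolved in $neg) verdict=1; break ;; esac ;;
            *)
                case $resolved in $pat) verdict=0 ;; esac ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return "$verdict"
}

# Usage (hypothetical file name): sh check-provider.sh /usr/lib/librtpkcs11ecp.so
if [ "$#" -gt 0 ]; then
    if provider_allowed "$1"; then echo "allowed"; else echo "refused"; fi
fi
```

A library that must live outside the default list can instead be permitted by starting the agent with a wider -P pattern list, which this function accepts as its second argument.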

komex commented on 2025-07-23 12:34 (UTC)

@alexeybes93, thank you. Fixed.

alexeybes93 commented on 2025-07-22 08:44 (UTC)

Correct sha256sum should be f9aeeb433da8bfe9d0fd58b55ae40b901600e999a10d705e948dae6c6f64e016

snigurmd commented on 2025-03-03 05:44 (UTC)

It creates a link to the librtpkcs11ecp.so located in the home directory where the package was built. It must install the library directly into the /opt/aktivco